A Windows XP help forum. PCbanter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » PCbanter forum » Microsoft Windows 7 » Windows 7 Forum
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

Uninitialized disk



 
 
Thread Tools Rate Thread Display Modes
  #1  
Old July 18th 17, 08:38 AM posted to alt.windows7.general
T
external usenet poster
 
Posts: 4,600
Default Uninitialized disk

Hi All,

I came across a Windows computer yesterday that had a 4 GB disk
that Disk Manager wanted to initialize. That would make it a
raw disk right out of the wrapper (or someone had at it with `dd`).

Am I correct that the various backup programs (Marcuim Reflect,
etc.) out there that write to hidden directories still
require an initialized, partitioned, and formatted drive?

If so, then it was just an extra drive no one ever
initialized, partitioned, and formatted for use.
Otherwise I have to hunt down who is using the
drive. (They use a Cloud based backup service and
everything is working on the computer. Well, after
I had at it.)

Many thanks,
-T

Hopefully I did not typo any limey swear words this time! :'(
Ads
  #2  
Old July 18th 17, 09:45 AM posted to alt.windows7.general
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Uninitialized disk

T wrote:
Hi All,

I came across a Windows computer yesterday that had a 4 GB disk
that Disk Manager wanted to initialize. That would make it a
raw disk right out of the wrapper (or someone had at it with `dd`).

Am I correct that the various backup programs (Marcuim Reflect,
etc.) out there that write to hidden directories still
require an initialized, partitioned, and formatted drive?

If so, then it was just an extra drive no one ever
initialized, partitioned, and formatted for use.
Otherwise I have to hunt down who is using the
drive. (They use a Cloud based backup service and
everything is working on the computer. Well, after
I had at it.)

Many thanks,
-T

Hopefully I did not typo any limey swear words this time! :'(


On a "uninitialized" disk, you can scan with TestDisk.
It will look for a sector with "NTFS" in it.

On a 4TB drive, you'd be "nuts" to be doing this for fun.
Only do that, if you really suspect there is data on it,
data that you need.

*******

If you're good with HxD...

https://mh-nexus.de/en/hxd/

if you run the executable as Administrator, there is a menu item
somewhere on the right, that opens disks for raw I/O. In there,
you can open the 4TB drive, and skim through the first megabyte or
so, looking for a sector with "NTFS" as a string in it. That could
be an NTFS file system header. Vista+ uses megabyte alignment, and
as long as some clever person didn't leave a "gap" at the front, you
might spot some evidence of previous usage. The policy at disk drive
companies has changed over the years, and today there probably
isn't a file system on *internal* OEM bagged drives. If you pulled
that drive from a USB enclosure, the "consumer" approach to drives
means adding a file system for "comfort". So Seagate or WDC could
have put something on there, rather than your client.

On a GPT disk, the first 128MB could be GPT partition table
entries, and the 129th MB could contain the first "NTFS" sector.

HxD really isn't any better than TestDisk, but you'll also not
be tempted to sit there for eight hours, watching the track counter
tick up :-)

*******

I'm sure you'll think of some whizzy heuristic that quickly
tells you what the disk was used for.

Factory initialization does not guarantee the disk is zeroed,
and some other recurring hex pattern may be on there. Modern drives
are likely to use a "scrambler" on the circuit board, so writing
all zeros doesn't really put any kind of "flat line" signal
on the disk. The signal at the head level, on a zeroed disk,
is quite likely to be wavy gravy.

If you're bored, you could run Photorec or Recuva or...
well, you get the idea. Those can scan for files by their
metadata headers (EXIF, the word "GIF87" or whatever). So
if some plaintext data was stored on there at one time,
then a recovery tool may spit out 100,000 garbage files
in no time.

Paul
  #3  
Old July 18th 17, 05:41 PM posted to alt.windows7.general
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Uninitialized disk

T wrote:

I came across a Windows computer yesterday that had a 4 GB disk that
Disk Manager wanted to initialize. That would make it a raw disk
right out of the wrapper (or someone had at it with `dd`).

Am I correct that the various backup programs (Marcuim Reflect, etc.)
out there that write to hidden directories still require an
initialized, partitioned, and formatted drive?

If so, then it was just an extra drive no one ever initialized,
partitioned, and formatted for use. Otherwise I have to hunt down who
is using the drive. (They use a Cloud based backup service and
everything is working on the computer. Well, after I had at it.)


4 GB is very v-e-r-y VERY small. If GB was the correct sizing, I
suspect what you see as a "drive" is not a disk but either a small
partition on the disk or unallocated space on the disk. Many times you
cannot get all space on a disk to allocate to within a partition. The
sizing of the disk isn't a multiple of the sizing of clusters within a
partition. For example, for my "256GB" SSD, 9 MB cannot be assigned to
a partition. I don't remember how big I've seen the unallocated section
that is too oddball to put into a partition but 4 GB sounds too big.
That's why I suspect it is a partition that is a drive on a disk along
with other drives (partitions) on the same disk.

Backup programs can backup by sector (within a partition). I haven't
used any backup programs that will copy sectors of unallocated space on
a disk. Backup programs usually do logical image/file backups by using
a file system (within a partition). You cannot have any file system
until after you format a partition. Formatting structures the partition
by establishing a file table within the partition and updating the
partition tables back in the MBR/GPT block.

I've not used a backup program that uses hidden folders for itself.
There are snapshot programs that use rootkit-style drivers to hide their
clusters from the normal OS file API commands, like Comodo's Time
Machine (very flaky, corrupts file systems, abandoned) and other
snapshotting programs but I don't consider those "backup programs".
These tools are saving their snapshots on the same drive so they want to
hide them to prevent accidental deletion or corruption of their
snapshots. Some just use file system attributes to prevent accidental
erasure of snapshots: their folders are "hidden". An example are
virtual disk tools where their driver redirects all file I/O into their
virtual disk instead of to the physical disk, and upon boot their driver
discards the virtual disk (or doesn't use it) so the OS and programs are
back to writing on the real disk (well, writing to the virtual disk is
writing to the physical disk but you get what I mean). Unlike virtual
machines, virtual disk tools had you writing to the real disk instead of
an emulated one so there was no performance hit (other than their driver
doing file I/O redirects). Typically these are referred to as rollback
tools; e.g., Deep Freeze, Rollback Restore Rx and its little brother
Reboot Restore Rx (that latter one nailed me, too), Microsoft's
SteadyState (discontinued), the one that comes in Acronis True Image
(forget its name), ToolWiz Time Machine (free), and Returnil's Virtual
System or System Safe Free (no longer available, no free version any
more, went to payware-only QuietZone which, I think, was just
web-centric virtualization but that failed and returnilvirtualsystem.com
died). This is not the same a VMMs (Virtual Machine Managers) that
create .vhd or other virtual disk (VD) files within the file system
within a partition that are virtual machines to load within the
restricted or sandboxed environment of the guest OS running in an VM.
Their VDs are not hidden in the host's file system. I'm not sure what
all you consider is a backup tool. Backup can mean different things to
different users.

"Initialize" in Disk Manager means to add a unique (to all disks
initialized within Windows) 4-byte hash value to the drive ID record in
the MBR/GPT block. That allows identifying the disk no matter what is
its order of physical detection. The disk can be moved to another port
or even to a different controller and its physical enumeration will
change but the OS can still identify the disk as the same one by its
drive ID which allows the OS to keep the drive letter assignment in
place after moving a disk. Initializing also determine the type of boot
block created in sector 0 of the hard disk: MBR or GPT. Initializing is
typically performed on new disks (that have not been pre-formatted from
the factory since almost all have been for quite a while). It will wipe
the partition table. This is why folks think you lose your data when
you initialize. The data hasn't been touched until you follow with
partitioning (which doesn't write outside the partition table) and
writing to the partitioned areas. That's why you can use recovery tools
after partition tables have been corrupted or erased to relocate where
the partitions might've been or to recover data from sectors where there
are no longer partitions defined with file systems to cover that area of
the disk. Initializing doesn't erase anything. It's the later
formatting which causes loss of tracking the clusters and then later
writing that actually obliterates the content of those clusters.
Initialization does not format a drive. Initialization does wipe the
partition records in the partition table. Initialization does add a
drive sig to the MBR/GPT so the OS can track the disk. The disk sig is
used by Windows to track mounting of partitions on disk(s).
Initialization will synchronize the drive sig written into the MBR/GPT
with the one recorded in the registry. Initialization doesn't work at
the partition level. It works on the disk level. So all the mentioned
actions occur on the disk level. If you have other partitions on that
same disk with the 4 GB partition or unallocated space, initializing
that disk erases the partition records. You did not mention if the 4 GB
partition or unallocated space is the only partition or only unallocated
block on that disk.

https://technet.microsoft.com/en-us/...(v=ws.11).aspx
http://www.multibooters.com/tutorial...re-in-mbr.html

Some backup programs create a "hidden" partition in which to store their
backup files; e.g., Acronis Secure Zone and Paragon Backup Capsule.
Both use the same technique because developers from one changed to the
other employer. They hide the partition by NOT assigning a drive letter
to the partition and by using a non-standard partition type value in the
partition record in the partition table in the MBR/GPT. Without a drive
letter (the volume is not mounted), most programs, including most
malware, cannot find the backup files to encrypt, delete, or corrupt
them. The non-standard partition type attempts to keep Windows and
drive tools at bay. Formatting is standard, though, using FAT32.
However, 4 GB sounds pretty tiny for a hidden partition to store backup
files but then you didn't mention the other partition size(s).
  #4  
Old July 18th 17, 08:10 PM posted to alt.windows7.general
T
external usenet poster
 
Posts: 4,600
Default Uninitialized disk

On 07/18/2017 09:41 AM, VanguardLH wrote:
4 GB is very v-e-r-y VERY small


Sorry, 4TB. I constantly keep calling TB BG.

:-(


  #5  
Old July 18th 17, 08:11 PM posted to alt.windows7.general
T
external usenet poster
 
Posts: 4,600
Default Uninitialized disk

On 07/18/2017 12:10 PM, T wrote:
On 07/18/2017 09:41 AM, VanguardLH wrote:
4 GB is very v-e-r-y VERY small


Sorry, 4TB. I constantly keep calling TB BG.

:-(



GB
  #6  
Old July 18th 17, 11:50 PM posted to alt.windows7.general
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Uninitialized disk

T wrote:

On 07/18/2017 12:10 PM, T wrote:
On 07/18/2017 09:41 AM, VanguardLH wrote:
4 GB is very v-e-r-y VERY small


Sorry, 4TB. I constantly keep calling TB BG.

:-(


GB


Yeah, my keyboard is failing, too. Must be my keyboard. Can't be me.
  #7  
Old July 19th 17, 01:14 AM posted to alt.windows7.general
Ken Blake[_5_]
external usenet poster
 
Posts: 2,221
Default Uninitialized disk

On Tue, 18 Jul 2017 17:50:34 -0500, VanguardLH wrote:

T wrote:

On 07/18/2017 12:10 PM, T wrote:
On 07/18/2017 09:41 AM, VanguardLH wrote:
4 GB is very v-e-r-y VERY small

Sorry, 4TB. I constantly keep calling TB BG.

:-(


GB


Yeah, my keyboard is failing, too. Must be my keyboard. Can't be me.




You must be younger than I am! vbg
  #8  
Old July 19th 17, 07:57 PM posted to alt.windows7.general
Mark Lloyd[_2_]
external usenet poster
 
Posts: 1,756
Default Uninitialized disk

On 07/18/2017 02:10 PM, T wrote:
On 07/18/2017 09:41 AM, VanguardLH wrote:
4 GB is very v-e-r-y VERY small


Sorry, 4TB. I constantly keep calling TB BG.

:-(



I've sometimes make the mistake of using KB for RAM in modern computers.
The first computer I bought (in 1982) had 5KB (5120 bytes) of RAM.

--
Mark Lloyd
http://notstupid.us/

"COFFEE.EXE Missing - Insert Cup and Press Any Key to continue."
  #9  
Old July 20th 17, 06:38 AM posted to alt.windows7.general
T
external usenet poster
 
Posts: 4,600
Default Uninitialized disk

On 07/18/2017 03:50 PM, VanguardLH wrote:
T wrote:

On 07/18/2017 12:10 PM, T wrote:
On 07/18/2017 09:41 AM, VanguardLH wrote:
4 GB is very v-e-r-y VERY small

Sorry, 4TB. I constantly keep calling TB BG.

:-(


GB


Yeah, my keyboard is failing, too. Must be my keyboard. Can't be me.


No, not the keyboard. All me. I have the greatest keyboard
ever created: a Unicomp buckling spring keyboard.
  #10  
Old July 20th 17, 06:39 AM posted to alt.windows7.general
T
external usenet poster
 
Posts: 4,600
Default Uninitialized disk

On 07/19/2017 11:57 AM, Mark Lloyd wrote:
On 07/18/2017 02:10 PM, T wrote:
On 07/18/2017 09:41 AM, VanguardLH wrote:
4 GB is very v-e-r-y VERY small


Sorry, 4TB. I constantly keep calling TB BG.

:-(



I've sometimes make the mistake of using KB for RAM in modern computers.
The first computer I bought (in 1982) had 5KB (5120 bytes) of RAM.



I am always calling GB of ram, MB. I have to constantly
correct myself.

I remember strutting over 512 KB of ram!


 




Thread Tools
Display Modes Rate This Thread
Rate This Thread:

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off






All times are GMT +1. The time now is 09:46 PM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.